PLC Vulnerabilities: Sorting it All Out

Wednesday, June 15, 2011 @ 10:06 PM gHale

Editor’s Note: Eric Byres, chief technology officer at Byres Security, is keeping an eye on vulnerabilities on the Siemens S7 PLC product. The following is an excerpt from the third installment of his blog.
By Eric Byres
When it comes to looking at the Siemens S7 PLC vulnerabilities, one question still remains: just what does this mean for the ICS/SCADA professional trying to protect his or her control system in a critical industrial facility?

Part of the discussion about the Siemens S7 PLC vulnerabilities discovered by Dillon Beresford at NSS Labs in May concerned the contradictory information in circulation, which we sifted to scrape out a few facts and educated guesses about which PLC products are actually affected and what the nature of the vulnerabilities is. We then looked at what the industry can take away from this situation.

While Siemens moved quickly to fix these vulnerabilities, the update notices and security advisories released June 10 are confusing. The Siemens S7-1200 V2.03 Firmware Update Notice simply states:

“S7-1200 CPU firmware update V2.0.3 improves the security and robustness of the S7-1200 product family.”
Head to the Siemens S7-1200 security notice on the web and a slightly better message appears:

“The latest firmware update for the S7-1200 will offer corrective action for enhancing protection against replay attacks as well as increased stability when facing the above-mentioned denial-of-service scenario. The firmware update will be available in June.”

All this seems pretty positive until we read the Security Advisory dated June 13. It acknowledges that there are two vulnerabilities in the S7-1200 product, namely the Replay attack and the Denial of Service attack we suspected earlier. But then the advisory goes on to say:

“The improvements for this system behavior will be addressed with the next firmware update”

and

“A password protected S7-1200 will, in the future (with the firmware update), no longer respond to recorded frames transmitted to the controller at a later time”

Does this mean the patches released on Friday do not address the problem? Or are the Siemens security and development teams not talking to each other?

Stay tuned as we try to sort this out.

In the meantime, we know S7-1200 PLCs are at risk of easy-to-execute DoS and replay attacks right now. The DoS attack targets the embedded web server on the PLC, and Siemens suggests that shutting that service down removes the vulnerability. The replay attack and the DoS attack may or may not be fixed by Friday’s patch.

The good news is that these micro PLCs are often implemented in standalone applications consisting of just the PLC and a simple local operator (touch) panel display. In these cases, it might just be safe to say they are ‘air-gapped’, and network-based attacks are not possible.

Now if this is not the case – the PLCs are on a more complex network – then defense in depth security is needed. First get that patch loaded ASAP. Hopefully it fixes both problems. But even if it does, remember the protocols are still clear text.

In this case you need to have your S7-1200 PLCs behind a firewall that restricts traffic to the core HMI servers (i.e. the computers that must communicate with the PLCs) and blocks dangerous protocols like HTTP (i.e. web traffic); otherwise you are taking a risk.

Rate limiting traffic to the PLCs is also a good idea. Previous research by CERN suggests some Siemens PLCs may also be susceptible to traditional packet storm attacks. I don’t know if this applies to the S7-1200, but I would play it safe.

Note that I am NOT talking about a firewall between the business and control networks. In many companies, that leaves too many computers free to send whatever messages they want to the PLCs. Get one of those computers infected by USB key, CD or VPN and your PLCs could be sitting ducks.

Instead, firewalls separating ALL the PCs from the PLCs are recommended to sanitize the traffic coming to the PLCs. The ideal choice would be a deep packet inspection system that would detect malformed Siemens traffic, but that technology is not on the market yet. I hope that it shows up soon.
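As an added illustration (not code from the article, Siemens or Byres Security), the allowlist-plus-rate-limit policy recommended above, expressed as a small Python filter run over constructed flow records. The host addresses, the 5-packets-per-second limit and the use of TCP/102 (ISO-TSAP, the port S7 communication normally uses) are assumptions for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (not from the article):
# two HMI servers are the only hosts allowed to talk to the PLC subnet.
HMI_SERVERS = {ip_address("10.0.1.10"), ip_address("10.0.1.11")}
PLC_SUBNET = ip_network("10.0.2.0/24")
S7_PORT = 102              # ISO-TSAP, carries S7 communication (assumed default)
BLOCKED_PORTS = {80, 443}  # the PLC's embedded web server: block it outright
RATE_LIMIT = 5             # max accepted packets per source toward the PLCs per window
WINDOW_SECONDS = 1.0

class PlcFilter:
    """Allowlist firewall plus per-source rate limit for traffic toward the PLCs."""
    def __init__(self):
        self.history = defaultdict(deque)   # src -> timestamps of accepted packets

    def verdict(self, ts, src, dst, proto, dport):
        src, dst = ip_address(src), ip_address(dst)
        if dst not in PLC_SUBNET:
            return "ACCEPT"          # this policy only governs traffic toward the PLCs
        if dport in BLOCKED_PORTS:
            return "DROP:web"        # HTTP(S) to the PLC's web server, from anyone
        if src not in HMI_SERVERS or proto != "tcp" or dport != S7_PORT:
            return "DROP:not-hmi"    # only the HMI servers, only S7 over TCP/102
        q = self.history[src]
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()              # forget accepted packets outside the window
        if len(q) >= RATE_LIMIT:
            return "DROP:rate"       # packet-storm protection
        q.append(ts)
        return "ACCEPT"

def apply_policy(records):
    """records: 'ts,src,dst,proto,dport' lines; returns a list of (line, verdict)."""
    f = PlcFilter()
    out = []
    for line in records:
        ts, src, dst, proto, dport = line.split(",")
        out.append((line, f.verdict(float(ts), src, dst, proto, int(dport))))
    return out

# Constructed sample flows (not captured traffic).
SAMPLE = [
    "0.0,10.0.1.10,10.0.2.5,tcp,102",   # HMI -> PLC S7: allowed
    "0.1,10.0.1.50,10.0.2.5,tcp,102",   # office PC -> PLC S7: dropped
    "0.2,10.0.1.10,10.0.2.5,tcp,80",    # HMI -> PLC web server: dropped
    "0.3,10.0.1.50,10.0.1.10,tcp,443",  # office PC -> HMI: outside this policy
] + [f"{0.4 + i * 0.01:.2f},10.0.1.11,10.0.2.6,tcp,102" for i in range(7)]

if __name__ == "__main__":
    for line, v in apply_policy(SAMPLE):
        print(f"{v:14} {line}")
```

The last seven flows show the rate limit: the first five S7 packets from the second HMI server in the one-second window pass, the remaining two are dropped.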

What about S7-300 and S7-400 PLCs? Siemens is very vague on this front. Probably these controllers are no more exposed than they have been for the past decade. Not that that is good – the HMI protocols are sent in clear text and the password authentication schemes may be flawed, especially against replay attacks.

These are serious exposures, but they are not new exposures. In fact, the issues of clear text protocols and weak authentication are endemic to the entire ICS/SCADA industry.

The bad news is that unauthenticated, clear-text ICS and SCADA protocols are not an issue that can be fixed by patches. These protocols have been around since PLCs and RTUs were invented and will take years, if not decades, to replace. Nor will trying to hide the control system behind an air gap help. Only better management of ALL the traffic on the primary control network will provide security in the next decade.


